Wednesday, February 17, 2010

Flash cookies


Flash cookies (Local Shared Objects, LSOs) are pieces of information placed on your computer by a Flash plugin. These super-cookies are placed in central system folders and so are protected from deletion. They are frequently used like standard browser cookies. Although their threat potential is much higher than that of conventional cookies, only a few users have begun to take notice of them. It frequently happens that, after a time, hundreds of these Flash cookies reside in special folders. And they are never deleted.
Some properties of Flash cookies are:
  • They never expire, staying on your computer for an unlimited time.
  • By default they offer 100 KB of storage (compare: usual cookies, 4 KB).
  • Browsers are not aware of these cookies; LSOs usually cannot be removed by browsers.
  • Via Flash they can access and store highly specific personal and technical information (system, user name, files, ...).
  • They can send the stored information to the appropriate server without the user's permission.
  • Flash applications do not need to be visible.
  • There is no easy way to tell which Flash-cookie sites are tracking you.
  • Shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
  • The company doesn't provide a user-friendly way to manage LSOs; in fact, it's incredibly cumbersome.
  • Many domains and tracking companies make extensive use of Flash cookies.
  • These cookies are not harmless.
In order to track our Flash cookie information, we need to go to the Adobe Flash website. There you will find the Settings Manager, a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe has no access to these settings; it is entirely the user's responsibility to change them as required. Click on this link to access your security manager setting. To change your settings, click the tabs to see different panels, then click the options in the Settings Manager panels that you see on the web page. The five tabs are Global Storage Settings, Global Security Settings, Global Notification Settings, Website Privacy Settings, and Website Storage Settings. To read more about those tabs click here
When SWF or FLV content is being played, the settings you select for Flash Player are used in place of options you may have set in your browser. That is, even if you have specified in your browser settings that you do not want cookies placed on your computer, you may be asked if an application that runs in Flash Player can store information. This happens because the information stored by Flash Player is not the same as a cookie; it is used only by the application, and has no relation to any other Internet privacy or security settings you may have set in your browser.
Similarly, the amount of disk space you let the application use has no relation to the amount of disk space you have allotted for stored pages in your browser. That is, when SWF or FLV content is being played, the amount of disk space you allow here is in addition to any space your browser is using for stored pages.
No matter how you may have configured your browser, you still have the option to allow or deny the application that runs in Flash Player permission to store the information, and to specify how much disk space the stored information can occupy.
Solution
The Firefox extension BetterPrivacy is a cookie manager for LSO Flash objects and DOM storage objects. Local Shared Objects are placed on the computer by a Flash application such as the YouTube video player.
BetterPrivacy can stop them by silently removing those objects on every browser exit. So this extension becomes a sort of "install and forget" add-on. Usually automatic deletion is safe (no negative impact on your browsing), especially if the deletion timer is activated. The timer can delay automatic deletion for new or modified Flash cookies which might be in use. It also allows you to delete those objects immediately if desired.

With BetterPrivacy it is possible to review, protect or delete new Flash cookies individually. Users who wish to manage all cookies manually can disable the automatic functions. BetterPrivacy also protects against 'DOM Storage' long-term tracking, a browser feature which has been granted by the major browser manufacturers.
To learn more about Flash cookies and how-tos, see the following links:
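
The review-and-delete behaviour described above, including a timer that spares recently modified Flash cookies, can be reproduced outside the browser. This is an added Python example, not BetterPrivacy's own code; the folder paths are Flash Player's default locations, which this page does not list, and `grace_seconds` is a hypothetical name for the deletion timer.

```python
import os
import time
from pathlib import Path

def lso_roots(home=None, appdata=None):
    """Return the default Flash Player LSO folders that exist on this machine."""
    home = Path(home or Path.home())
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",  # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = appdata or os.environ.get("APPDATA")  # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]

def find_lsos(root):
    """Yield (domain, path, mtime) for every .sol file below root."""
    root = Path(root)
    for path in root.rglob("*.sol"):
        rel = path.relative_to(root).parts
        # On-disk layout: <random profile dir>/<domain>/.../<name>.sol
        domain = rel[1] if len(rel) >= 3 else "(unknown)"
        yield domain, path, path.stat().st_mtime

def purge(root, grace_seconds=0, now=None, dry_run=True):
    """Remove LSOs older than grace_seconds; return (deleted, kept) lists."""
    now = time.time() if now is None else now
    deleted, kept = [], []
    for domain, path, mtime in list(find_lsos(root)):
        if now - mtime < grace_seconds:
            kept.append((domain, path.name))  # recently written, may be in use
            continue
        if not dry_run:
            path.unlink()
        deleted.append((domain, path.name))
    return sorted(deleted), sorted(kept)

if __name__ == "__main__":
    # Dry run: report what would be removed, sparing files touched in the last hour.
    for root in lso_roots():
        deleted, kept = purge(root, grace_seconds=3600, dry_run=True)
        for domain, name in deleted:
            print(f"would delete  {domain}/{name}")
        for domain, name in kept:
            print(f"keep (recent) {domain}/{name}")
```

Run as written it only lists the stored objects per domain; pass `dry_run=False` to `purge` to actually remove them.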
Recommended comprehensive Flash cookie article (topic: UC Berkeley research report)
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
Privacy test:
http://netticat.ath.cx/extensions.html
Navigate to BetterPrivacy (right column)